Jul 1, 2018

Using SSL with Canvas

Create your own keystore and SSL certificate

  1. Open a Command Line Window using Run As Administrator
  2. Use the cd command to change the directory to the conf directory where Canvas is installed:

    cd C:CWASconf 

  3. Create your own keystore and generate a Certificate Signing Request:

    ..jrebinkeytool -genkey -alias tomcat -keyalg RSA -keystore canvas.keystore -keysize 2048 

  4. Enter a password and write it down so you can use it later:

    Enter keystore password:  

  5. Enter the details for the certificate:
    • First and last name (Common Name (CN)): Enter the domain of you are going to use for Canvas (i.e. canvas.mycompany.org) in the “first- and lastname” field.. It looks like “www.company.com” or “company.com”. NOTE: The Common Name above must match the URL people are going to use to access Canvas
    • Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization, i.e. the name of the department making the request.
    • Organization (O): If your company or department, exclude any special characters such as & or @ from the name.
    • Locality or City (L): The locality field is the city or town name, for example: New York. 
    • State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: Florida
    • Country Name (C): Use the two-letter code for the country, for example: US, AU, UK, etc. 
  6. Confirm that the details are correct, type ‘y’ and press <Enter>:

    Is CN=demo.cubewise.com, OU=Unknown, O=Cubewise, L=North Sydney, ST=New South Wales, C=AU correct? 
    [no]: y 

  7. Press <Enter> and use the same password as entered in Step 4

    Enter key password for <canvas>
    (RETURN if same as keystore password): [Enter] 

  8. Generate a Certificate Signing Request (CSR) to be used by a certificate Authority (Symantec, Thawte, DigiCert, GeoTrust, Go Daddy, etc)

    ..jrebinkeytool -certreq -alias tomcat -file canvas.csr -keystore canvas.keystore 

  9. Enter the password your created in step 4:

    Enter keystore password:  

  10. Follow the steps of your Certificate Authority to purchase a new certificate using the canvas.csr file that was created in the previous step.

    NOTE: The canvas.csr file will be in the conf directory where Canvas is installed 

  11. At this point you should make a copy of the canvas.keystore file so you have a backup if you encounter problems when importing certificates

Import Your X.509 Certificate into the Key Store

  1. Open a Command Line Window using Run As Administrator
  2. Use the cd command to change the directory to the conf directory where Canvas is installed

    cd C:CWASconf 

  3. First import any root/intermediate certificate(s) as instructed by your Certificate Authority, these need to be imported BEFORE your certificate is imported:
    1. Save any root/intermediate certificates to the conf directory, i.e. root.cer
    2. Execute, replacing -alias and -file options for each certificate:

      ..jrebinkeytool -import -trustcacerts -alias root -keystore canvas.keystore -file root.cer 

    3. Enter the password from above and press enter 
  4. Import your actual certificate into the key store:
    1. Save the certificate to the conf directory, i.e. canvas.cer.
    2. Execute, the alias needs to be canvas: 

      ..jrebinkeytool -import -trustcacerts -alias tomcat -keystore canvas.keystore -file canvas.cer 

    3. Enter the password from above and press enter 
  5. If you get: Certificate reply was installed in keystore. The certificate has been successfully installed in the keystore

    If you receive this error, keytool error: java.lang.Exception: Failed to establish chain from reply, you need to install the appropriate intermediate certificates

Update the Connector Settings for the New Key Store

  1. Open conf/server.xml (in the Canvas install directory)

You will need to add the following code between <Service and <Engine section:

     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->    <Connector           protocol="org.apache.coyote.http11.Http11NioProtocol"           port="8443" maxThreads="200"           scheme="https" secure="true" SSLEnabled="true"           keystoreFile="C:/CWAS/conf/canvas.keystore" keystorePass="password"           clientAuth="false" sslProtocol="TLS"                      URIEncoding="UTF-8"           compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json"           compression="on"           compressionMinSize="2048"    />

You can choose a different port number, in this example we are using 8443.

The server.xml file should look like this:

Finally restart the Cubewise Application Server service and you should now be able to access Canvas through the new port in this example 8443:

  • https://localhost:8443/samples

Related content

Loading related content